1411 | 2024-08-08 15:33
picturegreatforeveryonetokissh... ab5e63bdc212cfe4832dcfaa5bcd47dd Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS
1
http://servidorwindows.ddns.com.br/Files/vbs.jpeg
|
2
servidorwindows.ddns.com.br(189.15.73.202) - malware
189.15.73.202
7.6 | M | 3 | ZeroCERT
1412 | 2024-08-08 14:42
66b274e0e1b95_shapr3D.exe a80b3beac20e2a5d805c51c36ba14a53 Generic Malware Malicious Library Malicious Packer UPX DllRegisterServer dll PE File PE64 OS Processor Check VirusTotal Malware crashed
1.4 | M | 42 | ZeroCERT
1413 | 2024-08-08 14:42
66b1f63c9578f_doz.exe 07d615115d848b9b21d425e72116537e Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
3
https://steamcommunity.com/profiles/76561199747278259 - rule_id: 41798
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.222.161.105) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
188.245.87.202 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199747278259
17.8 | M | 49 | ZeroCERT
1414 | 2024-08-08 14:41
IEnetworks.hta 948f32b531ba5004430eacb7a1eaa9e3 Generic Malware Downloader Antivirus AntiDebug AntiVM PowerShell MSOffice File PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
1
http://69.166.230.221/113/sahost.exe
|
1
|
5
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
12.8 | M | 25 | ZeroCERT
1415 | 2024-08-08 14:40
95.hta f85f36a24ed9678e95ba7e369261d581 Generic Malware Antivirus Downloader AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows ComputerName DNS Cryptographic key
1
http://192.3.176.138/95/sahost.exe
|
1
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
11.4 | M | 18 | ZeroCERT
1416 | 2024-08-08 14:40
66b1c36969eae_main.exe 3d04dfed5185e2f62819f0951249e391 Client SW User Data Stealer LokiBot RedLine stealer ftp Client info stealer Malicious Library Antivirus .NET framework(MSIL) ASPack UPX Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
2
https://steamcommunity.com/profiles/76561199751190313
https://t.me/pech0nk
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.222.161.105) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
78.47.227.64
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
18.2 | M | 48 | ZeroCERT
1417 | 2024-08-08 14:39
70.hta d25adfb8a78f72868ee40f379c1d9fe2 Generic Malware Downloader Antivirus AntiDebug AntiVM PowerShell MSOffice File PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
1
http://192.3.176.138/70/sahost.exe
|
1
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
11.6 | M | 18 | ZeroCERT
1418 | 2024-08-08 14:37
106.hta 3c35707d9cacb409481600e0b5eed83a Generic Malware Antivirus Downloader PE File DLL PE32 .NET DLL Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key
1
http://192.3.176.138/106/sahost.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
10.6 | M | 21 | ZeroCERT
1419 | 2024-08-08 14:37
wecreatednewentertainmenttound... 0016aef348632b4114588b23be613073 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
1
http://192.210.150.33/88/sweetdresswearwithgirlstyle.gIF
|
3
archive.org(207.241.224.2) - mailcious
207.241.224.2 - mailcious
192.210.150.33 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 32 | ZeroCERT
1420 | 2024-08-08 14:28
hvilkes-receipt.vbs be57d52692dc2ef67f7c35290b424149 Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
2
s2r.tn(70.38.21.234)
70.38.21.234
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.0 | | | ZeroCERT
1421 | 2024-08-08 14:28
mygirlistotalchangeswithentire... c29dda8b224f54eeade764fdb7c6bb23 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself Exploit DNS DDNS crashed
1
http://192.3.109.147/88/greatbiscutforbabieshealthgreatthings.gIF
|
3
servidorwindows.ddns.com.br(189.15.73.202) - malware
192.3.109.147 - mailcious
189.15.73.202
6.8 | | 35 | ZeroCERT
1422 | 2024-08-08 14:26
like.exe f40919d4beadd501ea89202a719ab940 Malicious Library PE File PE64 Malware download Cobalt Strike Cobalt VirusTotal Malware RWX flags setting unpack itself ComputerName DNS
2
http://23.94.247.40:7890/OBjb
http://23.94.247.40:7890/ga.js
|
2
45.33.6.223
23.94.247.40 - mailcious
|
2
ET MALWARE Cobalt Strike Beacon Observed
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
3.8 | | 61 | ZeroCERT
1423 | 2024-08-08 14:26
picturegreatforeveryonetokissh... ab5e63bdc212cfe4832dcfaa5bcd47dd Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut ICMP traffic unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS
1
http://servidorwindows.ddns.com.br/Files/vbs.jpeg
|
2
servidorwindows.ddns.com.br(189.15.73.202) - malware
189.15.73.202
8.4 | | 3 | ZeroCERT
1424 | 2024-08-08 14:26
hmay.txt.exe edfad175f97fe91185a1ed5beed5f468 PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself ComputerName DNS DDNS
2
hmay8500.duckdns.org(12.221.146.138)
12.221.146.138 - mailcious
|
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
5.4 | | 52 | ZeroCERT
1425 | 2024-08-08 14:24
sincesheiseverbuildnewthingent... f4b49bfacf066b76dd2f64aa5667e927 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself Exploit DNS DDNS crashed
1
http://192.3.193.155/xampp/uhj/picturegreatforeveryonetokissherlips.gIF
|
4
servidorwindows.ddns.com.br(189.15.73.202) - malware
3.33.130.190 - phishing
192.3.193.155
189.15.73.202
6.8 | | 35 | ZeroCERT